Category Archives: Charity


Breach details

What

A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.

How much

9,900 records.

When

08 March 2012.

Why

The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data, they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing and so remained unaware of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £200,000.

When

07 March 2014.

Why the regulator acted

Breach of act

Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures.

Known or should have known

BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information.

Likely to cause damage or distress

The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation).

Breach details

What

Confidential client information contained in a folder was left at a cafe.

How much

A folder containing information on one case.

When

June 2012

Why

A lack of effective controls and procedures for taking information out of the office contributed to the loss of this personal data. Excessive information was also being transported, as the folder contained personal data not relevant to the scheduled meetings. However, there were general policies and procedures in place and the support worker had received relevant training. The support worker was also acting against previous instructions given by Foyle Women’s Aid.

Regulatory action

Regulator

ICO

Action

Undertaking to comply with the seventh data protection principle.

When

13 August 2013.

Details

Foyle Women’s Aid will immediately implement a formal policy covering the use of personal data outside of the office and provide training to their staff; compliance with these policies shall be regularly monitored. Portable devices used for the storage and transmission of personal data must be encrypted. Physical and other security measures must also be implemented to protect against unauthorised access to personal data.

Breach details

What

Loss of sensitive personal data.

How much

Four records.

When

5 December 2011

Why

A Social Worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £70,000.

When

10 October 2012

Why the regulator acted

Breach of act

Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not received any data protection training, despite a commitment to it being provided existing in the data controller’s policy.

Known or should have known

The data controller had an overarching data protection policy which staff were aware of, even if specific guidance was not given. The sensitivity of staff’s work would have been self-evident.

Likely to cause damage or distress

The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

What

How much

101 records.

Why

Two unencrypted memory sticks and papers containing the personal details of 101 individuals were stolen from an employee’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that laptops used to store or transmit personal data are encrypted to a sufficient standard by no later than 16 March 2012. Hard copy documentation must only be removed from the office when absolutely necessary and a specific policy must be put in place to cover working away from the office.

Reason for action

The laptop did not contain any personal data and was password protected, as well as having third-party software installed allowing its usage to be tracked. No usage has been logged since the theft. However, the USB sticks contained sensitive personal information and at the time of the incident, encryption of such devices was not mandatory. There was no specific policy to cover working outside of the office.

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected, but had not been encrypted. However, the data controller proposed to improve physical security and implement encryption as a result of the incident.

What

How much

Why

Three service users’ files were lost following the relocation of premises. It is believed that the files were unintentionally destroyed in confidential waste.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any policies introduced in relation to the storage, movement and use of personal data are implemented and communicated in all Turning Point offices.

Reason for action

Inquiries revealed that this was the second incident of the same nature within a year and despite implementing a number of safeguards during this relocation, there was no formal written policy in place to cover the relocation of files containing personal data.

Regulator

Regulatory action

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

Why

Several unencrypted laptop computers, one of which contained personal data, were stolen from the data controller’s Cardiff Office during a burglary.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action

The laptops had been returned to the office for encryption, but this had not yet taken place when the theft occurred. The laptops were neither physically secured by cable locks, nor locked away securely. This was the third data security incident reported to the Commissioner during 2009. It was also revealed that staff did not receive any formal data protection training.

Why

A filing cabinet containing paper records referring to the personal details of 84 individuals undergoing Drug Rehabilitation Requirements was lost during an office move.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the physical security of personal data be ensured, especially during transit. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action

A building contractor was employed to transport a number of cabinets to the new site, and insufficient organisational measures were taken to prevent cabinets containing data for transfer from being mixed with obsolete cabinets to be disposed of.